summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJustus Winter <4winter@informatik.uni-hamburg.de>2014-03-30 19:20:05 +0200
committerJustus Winter <4winter@informatik.uni-hamburg.de>2014-03-30 19:20:05 +0200
commit04fc869149c3ae10d3835049738818e68174d05d (patch)
treea65edd7f02ab50028d5d8de659620ded21ac8df3
parentbdc34d0383ffd80bc76b24619b26df29307243e0 (diff)
Add portseal
-rw-r--r--Makefile38
-rw-r--r--README57
-rwxr-xr-xbin/portseal247
-rw-r--r--libportseal/Makefile12
-rw-r--r--libportseal/jhash.h256
-rw-r--r--libportseal/portseal.c271
-rw-r--r--libportseal/portseal.h73
-rw-r--r--share/portseal/portseal.cocci117
-rw-r--r--test/Makefile8
-rw-r--r--test/test.c102
10 files changed, 1181 insertions, 0 deletions
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..28a9d56
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,38 @@
+# Copyright (c) 2014 Justus Winter <4winter@informatik.uni-hamburg.de>
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+all: libportseal libpinniped
+
+.PHONY: libportseal
+libportseal:
+ $(MAKE) -C "$@"
+
+.PHONY: libpinniped
+libpinniped:
+ $(MAKE) -C "$@"
+
+.PHONY: check
+check: all
+ rm -rf -- test-obj
+ cp -a test test-obj
+ (cd test-obj && ../bin/portseal patch)
+ $(MAKE) -C test-obj
+ bin/pinniped test-obj/test
+ (cd test-obj && ../bin/portseal unpatch)
+
+.PHONY: clean
+clean:
+ $(MAKE) -C libportseal clean
+ $(MAKE) -C libpinniped clean
+ rm -rf -- test-obj
diff --git a/README b/README
index 74aab4a..4fbc636 100644
--- a/README
+++ b/README
@@ -4,6 +4,63 @@ portseal - tools to locate port management bugs
This is a collection of tools to find bugs related to Mach port
handling like port leaks at runtime.
+Requirements
+------------
+
+portseal is written in python and leverages coccinelle for the source
+transformation. libportseal requires liburcu.
+
+How to use it
+-------------
+
+Use "portseal patch" within the source of your target code to patch
+it, "portseal unpatch" to undo the change. "make check" demonstrates
+how to use portseal and pinniped to find both port leaks and wrong use
+of port management functions:
+
+% make check
+rm -rf -- test-obj
+cp -a test test-obj
+(cd test-obj && ../bin/portseal patch)
+[...]
+bin/pinniped test-obj/test
+dosth looked up 146
+test-obj/test: leaked send right 146
+test-obj/test[0x80489c3]
+test-obj/test[0x8048d05]
+/lib/i386-gnu/libc.so.0.3(__libc_start_main+0xbc)[0x10aa69c]
+test-obj/test[0x8048811]
+dosthelse looked up 148
+test-obj/test: leaked send right 148
+test-obj/test[0x8048d9d]
+/lib/i386-gnu/libc.so.0.3(__libc_start_main+0xbc)[0x10aa69c]
+test-obj/test[0x8048811]
+dosthglobal looked up 153
+test-obj/test: leaked send right 153
+test-obj/test[0x8048dc2]
+/lib/i386-gnu/libc.so.0.3(__libc_start_main+0xbc)[0x10aa69c]
+test-obj/test[0x8048811]
+allocated receive port 154
+test-obj/test: leaked receive right 154
+test-obj/test[0x8048c36]
+test-obj/test[0x8048dcc]
+/lib/i386-gnu/libc.so.0.3(__libc_start_main+0xbc)[0x10aa69c]
+test-obj/test[0x8048811]
+dolookupcwd looked up 108
+test-obj/test: mach_port_deallocate (1, 12345): (os/kern) invalid name
+test-obj/test[0x8048ce0]
+test-obj/test[0x8048dd6]
+/lib/i386-gnu/libc.so.0.3(__libc_start_main+0xbc)[0x10aa69c]
+test-obj/test[0x8048811]
+test-obj/test: mach_port_destroy (1, 54321): (os/kern) invalid name
+test-obj/test[0x8048cf5]
+test-obj/test[0x8048dd6]
+/lib/i386-gnu/libc.so.0.3(__libc_start_main+0xbc)[0x10aa69c]
+test-obj/test[0x8048811]
+% addr2line -e test-obj/test 0x8048c36
+.../portseal/test-obj/test.c:65
+
+
libpinniped
-----------
diff --git a/bin/portseal b/bin/portseal
new file mode 100755
index 0000000..bcb39b8
--- /dev/null
+++ b/bin/portseal
@@ -0,0 +1,247 @@
+#!/usr/bin/env python
+from __future__ import print_function
+
+# Copyright (c) 2014 Justus Winter <4winter@informatik.uni-hamburg.de>
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+import difflib
+import logging as log
+import os
+import re
+import subprocess
+import string
+import sys
+
+log.basicConfig(format='%(levelname)s:%(message)s', level=log.DEBUG)
+
+base_path = os.path.dirname (os.path.dirname (os.path.abspath (sys.argv[0])))
+template_path = os.path.join (base_path, "share", "portseal")
+state_path = os.path.abspath (".portseal")
+portseal_h = os.path.join (base_path, "libportseal", "portseal.h")
+portseal_L = os.path.join (base_path, "libportseal")
+
+def pkg_config (pkg, what):
+ return subprocess.check_output (["pkg-config", "--"+what, pkg]).strip ()
+
+ldflags = "-L{0} -Wl,-rpath={0} -lportseal -ldl {1} {2} {3}".format (
+ portseal_L,
+ pkg_config ("liburcu", "libs"),
+ pkg_config ("liburcu-cds", "libs"),
+ pkg_config ("liburcu-mb", "libs"),
+)
+
+def template (x):
+ return os.path.join (template_path, x)
+
+def state (x):
+ return os.path.join (state_path, x)
+
+def make_state_dir ():
+ if not os.path.exists (state_path):
+ os.mkdir (state_path)
+
+def is_patched ():
+ return os.path.exists (state ("portseal.patch"))
+
+def template_apply (name, mapping, sink=None, **overlay):
+ log.debug ("applying template {0}".format (name))
+ with open (template (name)) as source:
+ t = source.read ()
+
+ m = mapping.copy ()
+ m.update (overlay)
+ for key, value in sorted (m.items (),
+ cmp=lambda a, b: cmp (len (a[0]), len (b[0])),
+ reverse=True):
+ t = t.replace (key, value)
+
+ if sink:
+ sink.write (t)
+ else:
+ with open (state (name), "w") as sink:
+ sink.write (t)
+
+def spatch (cocci):
+ includes = list ()
+ for i in (args.I or ["/usr/include"]):
+ includes.extend (("-I", i))
+
+ c = ["spatch",
+ "--no-loops",
+ "--no-gotos",
+ "--smpl-spacing",
+ "--include-headers",
+ "--sp-file", cocci,
+ "-dir", ".",
+ ] + includes
+ log.debug ("executing {0}".format (c))
+
+ return subprocess.check_output (c)
+
+def do_wrap_hack(s, r = False):
+ wraphack = 'PORTSEAL_WRAP_HACK'
+ if r:
+ wraphack += '_R'
+
+ def walk (s, i, direction, p):
+ while p != 0:
+ if s[i] == "(":
+ p += 1
+ elif s[i] == ")":
+ p -= 1
+ i += direction
+ return i
+
+ def skip_ws (s, i, direction):
+ while 0 < i < len (s) - 1:
+ if string.strip (s[i]):
+ break
+ i += direction
+ return i
+
+ def skip_nws (s, i, direction):
+ while 0 < i < len (s) - 1:
+ if not string.strip (s[i]):
+ break
+ i += direction
+ return i
+
+ while wraphack in s:
+ i = s.index(wraphack)
+ start = skip_nws (s, skip_ws (s, walk (s, i, -1, -1), -1), -1)
+ id_start = skip_ws (s, i + len (wraphack), 1)
+ id_end = walk (s, id_start + 1, 1, 1)
+ ident = s[id_start:id_end]
+ end = walk (s, id_end, 1, 1)
+ s = "{0} PORTSEAL_WRAP{1}({2}{3}, {4}){5}".format (
+ s[:start],
+ "_R" if r else "",
+ s[start:i],
+ s[id_start:end],
+ ident,
+ s[end:])
+
+ return s
+
+def patch (args):
+ if is_patched ():
+ return
+
+ make_state_dir ()
+
+ mapping = dict ()
+ with open (state ("portseal.cocci"), "w") as sink:
+ template_apply ("portseal.cocci", mapping, sink)
+
+ cocci_patch = spatch (state ("portseal.cocci"))
+
+ patches = list ()
+ patches.append (cocci_patch)
+
+ # add include to every file the cocci patch touched
+ for l in cocci_patch.split ("\n"):
+ if not l.startswith ("--- a/"):
+ continue
+ patches.append (make_patch (
+ l[6:],
+ lambda a: "#include \"{0}\"\n#line 1\n{1}".format (portseal_h, a)))
+
+ ldflags_re = re.compile (r"^(\s*LDFLAGS\s*=.*)(\\?)$", re.M)
+ for dirpath, dirs, files in os.walk("."):
+ if dirpath.endswith (".portseal"):
+ continue
+ for f in filter (lambda f: "Make" in f, files):
+ patches.append (
+ make_patch (
+ os.path.join (dirpath, f),
+ lambda m:
+ ldflags_re.sub (r"\1 {0} \2".format (ldflags), m, 0)))
+
+ with open(state ("portseal.patch"), "w") as h:
+ h.write ("\n".join (patches))
+
+ subprocess.check_call (
+ ["patch", "-p1"],
+ stdin=open (state ("portseal.patch")),
+ )
+
+ # wraphack
+ wraphack_patches = list ()
+ for dirpath, dirs, files in os.walk("."):
+ if dirpath.endswith (".portseal"):
+ continue
+
+ #continue
+
+ for f in filter (lambda f: f[-2:] in ('.c', '.h'), files):
+ try:
+ wraphack_patches.append (
+ make_patch (
+ os.path.join (dirpath, f),
+ lambda m: do_wrap_hack (do_wrap_hack (m, True))))
+ except IOError:
+ pass
+
+ with open(state ("wraphack.patch"), "w") as h:
+ h.write ("\n".join (wraphack_patches))
+
+ subprocess.check_call (
+ ["patch", "-p1"],
+ stdin=open (state ("wraphack.patch")),
+ )
+
+
+def make_patch (filename, mutator):
+ a = open (filename).read ()
+ b = mutator (a)
+ p = os.path.join ("a", filename)
+ def split(x):
+ return [l+"\n" for l in x.split ("\n")]
+ return "".join (difflib.unified_diff (split (a),
+ split (b),
+ fromfile=p,
+ tofile=p))
+def unpatch (args):
+ if not is_patched ():
+ return
+
+ subprocess.check_call (
+ ["patch", "-p1", "-R"],
+ stdin=open (state ("wraphack.patch")),
+ )
+
+ subprocess.check_call (
+ ["patch", "-p1", "-R"],
+ stdin=open (state ("portseal.patch")),
+ )
+
+ os.remove (state ("portseal.patch"))
+
+import argparse
+
+parser = argparse.ArgumentParser()
+subparsers = parser.add_subparsers(title='subcommands',
+ description='valid subcommands',
+ help='additional help')
+
+parser_patch = subparsers.add_parser('patch')
+parser_patch.set_defaults(func=patch)
+parser_patch.add_argument('-I', metavar='DIR', action="append",
+ help='add include directory')
+
+parser_unpatch = subparsers.add_parser('unpatch')
+parser_unpatch.set_defaults(func=unpatch)
+
+args = parser.parse_args()
+sys.exit(args.func(args))
diff --git a/libportseal/Makefile b/libportseal/Makefile
new file mode 100644
index 0000000..2e2cc5e
--- /dev/null
+++ b/libportseal/Makefile
@@ -0,0 +1,12 @@
+USE_PKG = liburcu liburcu-cds liburcu-mb
+
+CFLAGS = -std=gnu99 -Wall -ggdb \
+ $(foreach lib,$(USE_PKG),$(shell pkg-config --cflags $(lib)))
+LDFLAGS = -rdynamic -ldl \
+ -L. -lportseal \
+ $(foreach lib,$(USE_PKG),$(shell pkg-config --libs $(lib)))
+
+all: libportseal.so
+
+libportseal.so: portseal.o
+ gcc -shared -o "$@" "$<"
diff --git a/libportseal/jhash.h b/libportseal/jhash.h
new file mode 100644
index 0000000..673989d
--- /dev/null
+++ b/libportseal/jhash.h
@@ -0,0 +1,256 @@
+#ifndef _JHASH_H
+#define _JHASH_H
+
+/*
+ * jhash.h
+ *
+ * Example hash function.
+ *
+ * Copyright 2009-2012 - Mathieu Desnoyers <mathieu.desnoyers@polymtl.ca>
+ *
+ * THIS MATERIAL IS PROVIDED AS IS, WITH ABSOLUTELY NO WARRANTY EXPRESSED
+ * OR IMPLIED. ANY USE IS AT YOUR OWN RISK.
+ *
+ * Permission is hereby granted to use or copy this program for any
+ * purpose, provided the above notices are retained on all copies.
+ * Permission to modify the code and to distribute modified code is
+ * granted, provided the above notices are retained, and a notice that
+ * the code was modified is included with the above copyright notice.
+ */
+
+/*
+ * Hash function
+ * Source: http://burtleburtle.net/bob/c/lookup3.c
+ * Originally Public Domain
+ */
+
+#define rot(x, k) (((x) << (k)) | ((x) >> (32 - (k))))
+
+#define mix(a, b, c) \
+do { \
+ a -= c; a ^= rot(c, 4); c += b; \
+ b -= a; b ^= rot(a, 6); a += c; \
+ c -= b; c ^= rot(b, 8); b += a; \
+ a -= c; a ^= rot(c, 16); c += b; \
+ b -= a; b ^= rot(a, 19); a += c; \
+ c -= b; c ^= rot(b, 4); b += a; \
+} while (0)
+
+#define final(a, b, c) \
+{ \
+ c ^= b; c -= rot(b, 14); \
+ a ^= c; a -= rot(c, 11); \
+ b ^= a; b -= rot(a, 25); \
+ c ^= b; c -= rot(b, 16); \
+ a ^= c; a -= rot(c, 4); \
+ b ^= a; b -= rot(a, 14); \
+ c ^= b; c -= rot(b, 24); \
+}
+
+#if (BYTE_ORDER == LITTLE_ENDIAN)
+#define HASH_LITTLE_ENDIAN 1
+#else
+#define HASH_LITTLE_ENDIAN 0
+#endif
+
+/*
+ *
+ * hashlittle() -- hash a variable-length key into a 32-bit value
+ * k : the key (the unaligned variable-length array of bytes)
+ * length : the length of the key, counting by bytes
+ * initval : can be any 4-byte value
+ * Returns a 32-bit value. Every bit of the key affects every bit of
+ * the return value. Two keys differing by one or two bits will have
+ * totally different hash values.
+ *
+ * The best hash table sizes are powers of 2. There is no need to do
+ * mod a prime (mod is sooo slow!). If you need less than 32 bits,
+ * use a bitmask. For example, if you need only 10 bits, do
+ * h = (h & hashmask(10));
+ * In which case, the hash table should have hashsize(10) elements.
+ *
+ * If you are hashing n strings (uint8_t **)k, do it like this:
+ * for (i = 0, h = 0; i < n; ++i) h = hashlittle(k[i], len[i], h);
+ *
+ * By Bob Jenkins, 2006. bob_jenkins@burtleburtle.net. You may use this
+ * code any way you wish, private, educational, or commercial. It's free.
+ *
+ * Use for hash table lookup, or anything where one collision in 2^^32 is
+ * acceptable. Do NOT use for cryptographic purposes.
+ */
+static
+uint32_t hashlittle(const void *key, size_t length, uint32_t initval)
+{
+ uint32_t a, b, c; /* internal state */
+ union {
+ const void *ptr;
+ size_t i;
+ } u;
+
+ /* Set up the internal state */
+ a = b = c = 0xdeadbeef + ((uint32_t)length) + initval;
+
+ u.ptr = key;
+ if (HASH_LITTLE_ENDIAN && ((u.i & 0x3) == 0)) {
+ const uint32_t *k = (const uint32_t *) key; /* read 32-bit chunks */
+
+ /*------ all but last block: aligned reads and affect 32 bits of (a,b,c) */
+ while (length > 12) {
+ a += k[0];
+ b += k[1];
+ c += k[2];
+ mix(a, b, c);
+ length -= 12;
+ k += 3;
+ }
+
+ /*----------------------------- handle the last (probably partial) block */
+ /*
+ * "k[2]&0xffffff" actually reads beyond the end of the string, but
+ * then masks off the part it's not allowed to read. Because the
+ * string is aligned, the masked-off tail is in the same word as the
+ * rest of the string. Every machine with memory protection I've seen
+ * does it on word boundaries, so is OK with this. But VALGRIND will
+ * still catch it and complain. The masking trick does make the hash
+ * noticably faster for short strings (like English words).
+ */
+#ifndef VALGRIND
+
+ switch (length) {
+ case 12: c+=k[2]; b+=k[1]; a+=k[0]; break;
+ case 11: c+=k[2]&0xffffff; b+=k[1]; a+=k[0]; break;
+ case 10: c+=k[2]&0xffff; b+=k[1]; a+=k[0]; break;
+ case 9 : c+=k[2]&0xff; b+=k[1]; a+=k[0]; break;
+ case 8 : b+=k[1]; a+=k[0]; break;
+ case 7 : b+=k[1]&0xffffff; a+=k[0]; break;
+ case 6 : b+=k[1]&0xffff; a+=k[0]; break;
+ case 5 : b+=k[1]&0xff; a+=k[0]; break;
+ case 4 : a+=k[0]; break;
+ case 3 : a+=k[0]&0xffffff; break;
+ case 2 : a+=k[0]&0xffff; break;
+ case 1 : a+=k[0]&0xff; break;
+ case 0 : return c; /* zero length strings require no mixing */
+ }
+
+#else /* make valgrind happy */
+ {
+ const uint8_t *k8;
+
+ k8 = (const uint8_t *) k;
+ switch (length) {
+ case 12: c+=k[2]; b+=k[1]; a+=k[0]; break;
+ case 11: c+=((uint32_t) k8[10])<<16; /* fall through */
+ case 10: c+=((uint32_t) k8[9])<<8; /* fall through */
+ case 9 : c+=k8[8]; /* fall through */
+ case 8 : b+=k[1]; a+=k[0]; break;
+ case 7 : b+=((uint32_t) k8[6])<<16; /* fall through */
+ case 6 : b+=((uint32_t) k8[5])<<8; /* fall through */
+ case 5 : b+=k8[4]; /* fall through */
+ case 4 : a+=k[0]; break;
+ case 3 : a+=((uint32_t) k8[2])<<16; /* fall through */
+ case 2 : a+=((uint32_t) k8[1])<<8; /* fall through */
+ case 1 : a+=k8[0]; break;
+ case 0 : return c;
+ }
+ }
+#endif /* !valgrind */
+
+ } else if (HASH_LITTLE_ENDIAN && ((u.i & 0x1) == 0)) {
+ const uint16_t *k = (const uint16_t *) key; /* read 16-bit chunks */
+ const uint8_t *k8;
+
+ /*--------------- all but last block: aligned reads and different mixing */
+ while (length > 12)
+ {
+ a += k[0] + (((uint32_t) k[1])<<16);
+ b += k[2] + (((uint32_t) k[3])<<16);
+ c += k[4] + (((uint32_t) k[5])<<16);
+ mix(a, b, c);
+ length -= 12;
+ k += 6;
+ }
+
+ /*----------------------------- handle the last (probably partial) block */
+ k8 = (const uint8_t *) k;
+ switch(length)
+ {
+ case 12: c+=k[4]+(((uint32_t) k[5])<<16);
+ b+=k[2]+(((uint32_t) k[3])<<16);
+ a+=k[0]+(((uint32_t) k[1])<<16);
+ break;
+ case 11: c+=((uint32_t) k8[10])<<16; /* fall through */
+ case 10: c+=k[4];
+ b+=k[2]+(((uint32_t) k[3])<<16);
+ a+=k[0]+(((uint32_t) k[1])<<16);
+ break;
+ case 9 : c+=k8[8]; /* fall through */
+ case 8 : b+=k[2]+(((uint32_t) k[3])<<16);
+ a+=k[0]+(((uint32_t) k[1])<<16);
+ break;
+ case 7 : b+=((uint32_t) k8[6])<<16; /* fall through */
+ case 6 : b+=k[2];
+ a+=k[0]+(((uint32_t) k[1])<<16);
+ break;
+ case 5 : b+=k8[4]; /* fall through */
+ case 4 : a+=k[0]+(((uint32_t) k[1])<<16);
+ break;
+ case 3 : a+=((uint32_t) k8[2])<<16; /* fall through */
+ case 2 : a+=k[0];
+ break;
+ case 1 : a+=k8[0];
+ break;
+ case 0 : return c; /* zero length requires no mixing */
+ }
+
+ } else { /* need to read the key one byte at a time */
+ const uint8_t *k = (const uint8_t *)key;
+
+ /*--------------- all but the last block: affect some 32 bits of (a, b, c) */
+ while (length > 12) {
+ a += k[0];
+ a += ((uint32_t) k[1])<<8;
+ a += ((uint32_t) k[2])<<16;
+ a += ((uint32_t) k[3])<<24;
+ b += k[4];
+ b += ((uint32_t) k[5])<<8;
+ b += ((uint32_t) k[6])<<16;
+ b += ((uint32_t) k[7])<<24;
+ c += k[8];
+ c += ((uint32_t) k[9])<<8;
+ c += ((uint32_t) k[10])<<16;
+ c += ((uint32_t) k[11])<<24;
+ mix(a,b,c);
+ length -= 12;
+ k += 12;
+ }
+
+ /*-------------------------------- last block: affect all 32 bits of (c) */
+ switch (length) { /* all the case statements fall through */
+ case 12: c+=((uint32_t) k[11])<<24;
+ case 11: c+=((uint32_t) k[10])<<16;
+ case 10: c+=((uint32_t) k[9])<<8;
+ case 9 : c+=k[8];
+ case 8 : b+=((uint32_t) k[7])<<24;
+ case 7 : b+=((uint32_t) k[6])<<16;
+ case 6 : b+=((uint32_t) k[5])<<8;
+ case 5 : b+=k[4];
+ case 4 : a+=((uint32_t) k[3])<<24;
+ case 3 : a+=((uint32_t) k[2])<<16;
+ case 2 : a+=((uint32_t) k[1])<<8;
+ case 1 : a+=k[0];
+ break;
+ case 0 : return c;
+ }
+ }
+
+ final(a, b, c);
+ return c;
+}
+
+static inline
+uint32_t jhash(const void *key, size_t length, uint32_t seed)
+{
+ return hashlittle(key, length, seed);
+}
+
+#endif /* _JHASH_H */
diff --git a/libportseal/portseal.c b/libportseal/portseal.c
new file mode 100644
index 0000000..f9523c6
--- /dev/null
+++ b/libportseal/portseal.c
@@ -0,0 +1,271 @@
+#define _GNU_SOURCE
+#include <dlfcn.h>
+#include <errno.h>
+#include <error.h>
+#include <execinfo.h>
+#include <fcntl.h>
+#include <hurd.h>
+#include <mach.h>
+#include <malloc.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <time.h>
+
+#include <urcu.h> /* RCU flavor */
+#include <urcu/rcuhlist.h> /* RCU hlist */
+#include <urcu/rculfhash.h> /* RCU Lock-free hash table */
+#include <urcu/compiler.h> /* For CAA_ARRAY_SIZE */
+#include "jhash.h" /* Example hash function */
+
+#include "portseal.h"
+
+#if 0
+# define TRACE(X...) error(0, 0, X)
+#else
+# define TRACE(X...)
+#endif
+
+#define PORTSEAL_PORTS_SIZE 1000
+int ports[PORTSEAL_PORTS_SIZE];
+
+struct object {
+ struct cds_lfht_node node; /* Chaining in hash table */
+ struct rcu_head rcu_head; /* For call_rcu() */
+ struct cds_hlist_head ports;
+ unsigned long addr;
+ size_t size;
+};
+
+struct port {
+ mach_port_t *p;
+ struct cds_hlist_node node; /* Linked-list chaining */
+};
+
+static uint32_t portseal_seed;
+static struct cds_lfht *portseal_object_hash;
+static int portseal_is_initialized;
+
+/* Reference counting. */
+void
+portseal_increment (mach_port_t p)
+{
+ if (! MACH_PORT_VALID (p))
+ return;
+
+ if (p >= PORTSEAL_PORTS_SIZE)
+ {
+ TRACE ("port name %d >= PORTSEAL_PORTS_SIZE", (int) p);
+ return;
+ }
+
+ TRACE ("portseal_increment (%d)", (int) p);
+ __atomic_add_fetch (&ports[p], 1, __ATOMIC_RELAXED);
+}
+
+static char *mach_port_right_str[] =
+ {
+ "send",
+ "receive",
+ "send-once",
+ "port-set",
+ "dead-name",
+ };
+
+static void
+portseal_dec (mach_port_t p)
+{
+ if (! MACH_PORT_VALID (p))
+ return;
+
+ if (p >= PORTSEAL_PORTS_SIZE)
+ {
+ TRACE ("port name %d >= PORTSEAL_PORTS_SIZE", (int) p);
+ return;
+ }
+
+ int c = __atomic_sub_fetch (&ports[p], 1, __ATOMIC_RELAXED);
+ TRACE ("portseal_decrement (%d) to %d", (int) p, c);
+ if (c > 0)
+ return;
+
+ /* check hurd ports */
+ for (int i = 0; i < INIT_PORT_MAX; i++)
+ if (HURD_PORT_USE (&_hurd_ports[i], port == p))
+ /* the libc has a reference, it's fine */
+ return;
+
+ error_t err = 0;
+ mach_port_urefs_t refs;
+ mach_port_right_t typ;
+
+ for (typ = MACH_PORT_RIGHT_SEND;
+ typ < MACH_PORT_RIGHT_NUMBER;
+ typ++)
+ {
+ err = mach_port_get_refs (mach_task_self (),
+ p,
+ typ,
+ &refs);
+ if (err)
+ goto out;
+ if (refs)
+ goto leak;
+ }
+
+ out:
+ if (err && err != KERN_INVALID_NAME)
+ error (0, err, "error in portseal_check_leak");
+ return;
+
+ leak:
+ error (0, 0, "leaked %s right %d", mach_port_right_str[typ], (int) p);
+ void *array[20];
+ size_t size;
+ size = backtrace (array, 20);
+ backtrace_symbols_fd (&array[2], size - 2, 2);
+}
+
+/* Used as cleanup function when variables with storage class auto,
+ i.e. variables residing on the stack. */
+void
+portseal_decrement_p (mach_port_t *p)
+{
+ portseal_dec (*p);
+}
+
+void
+portseal_decrement (mach_port_t p)
+{
+ portseal_dec (p);
+}
+
+/* Used to wrap port assignments. */
+mach_port_t
+portseal_set_port (mach_port_t *p, mach_port_t new)
+{
+ portseal_dec (*p);
+
+ if (! MACH_PORT_VALID (new))
+ goto out;
+
+ portseal_increment (new);
+
+ struct object *o = NULL, *node;
+ struct cds_lfht_iter iter;
+ rcu_read_lock();
+ cds_lfht_for_each_entry (portseal_object_hash, &iter, node, node)
+ if ((unsigned long) node->addr <= (unsigned long) p
+ && (unsigned long) p < (unsigned long) node->addr + node->size)
+ {
+ o = node;
+ break;
+ }
+ rcu_read_unlock();
+
+ if (o != NULL) {
+ TRACE ("set port in object %p", (void *) o->addr);
+ struct port *port = malloc (sizeof *port);
+ if (port) {
+ port->p = p;
+ cds_hlist_add_head_rcu (&port->node, &o->ports);
+ }
+ }
+
+ out:
+ return new;
+}
+
+/* Memory management. */
+void *
+portseal_malloc (size_t size)
+{
+ struct object *o;
+ posix_memalign ((void **) &o, 8, size + sizeof (struct object));
+ if (! o)
+ return NULL;
+
+ void *p = o + sizeof (struct object);
+
+ cds_lfht_node_init (&o->node);
+ CDS_INIT_HLIST_HEAD (&o->ports);
+ o->addr = (unsigned long) p;
+ o->size = size;
+ unsigned long hash = jhash (&p, sizeof p, portseal_seed);
+ rcu_read_lock ();
+ cds_lfht_add (portseal_object_hash, hash, &o->node);
+ rcu_read_unlock ();
+
+ return p;
+}
+
+static void
+free_object (struct rcu_head *head)
+{
+ struct object *node = caa_container_of (head, struct object, rcu_head);
+ TRACE ("free_object(%p)", node);
+ free (node);
+}
+
+static int
+match (struct cds_lfht_node *ht_node, const void *_key)
+{
+ struct object *o =
+ caa_container_of(ht_node, struct object, node);
+ const unsigned long *key = _key;
+
+ return *key == o->addr;
+}
+
+void
+portseal_free (void *p)
+{
+ TRACE ("free(%p)", p);
+
+ unsigned long hash = jhash (&p, sizeof p, portseal_seed);
+ rcu_read_lock ();
+ struct cds_lfht_iter iter;
+ cds_lfht_lookup (portseal_object_hash, hash, match, &p, &iter);
+ struct cds_lfht_node *ht_node = cds_lfht_iter_get_node (&iter);
+ if (ht_node)
+ {
+ if (! cds_lfht_del (portseal_object_hash, ht_node))
+ {
+ struct object *del_node =
+ caa_container_of (ht_node,
+ struct object, node);
+
+ struct port *port;
+ struct cds_hlist_node *pos;
+ cds_hlist_for_each_entry (port, pos, &del_node->ports, node) {
+ portseal_decrement (*port->p);
+ *port->p = MACH_PORT_NULL;
+ free (port);
+ }
+
+ call_rcu (&del_node->rcu_head, free_object);
+ }
+ }
+ rcu_read_unlock ();
+}
+
+/* Initialization and teardown. */
+
+static void __attribute__ ((constructor))
+portseal_init ()
+{
+ portseal_object_hash = cds_lfht_new(1, 1, 0,
+ CDS_LFHT_AUTO_RESIZE | CDS_LFHT_ACCOUNTING,
+ NULL);
+ if (! portseal_object_hash)
+ error (1, errno, "Error allocating hash table");
+
+ portseal_seed = (uint32_t) time (NULL);
+ rcu_register_thread ();
+
+ portseal_is_initialized = 1;
+}
+
+static void __attribute__ ((destructor))
+portseal_destroy () {
+ rcu_unregister_thread ();
+}
diff --git a/libportseal/portseal.h b/libportseal/portseal.h
new file mode 100644
index 0000000..5ad06b0
--- /dev/null
+++ b/libportseal/portseal.h
@@ -0,0 +1,73 @@
+#ifndef __PORTSEAL__
+#define __PORTSEAL__
+
+#define _GNU_SOURCE
+#include <mach.h>
+#include <stddef.h>
+
+extern int ports[];
+
+void *portseal_malloc (size_t) __attribute__ ((malloc));
+void portseal_free (void *);
+
+mach_port_t portseal_set_port (mach_port_t *, mach_port_t);
+void portseal_decrement (mach_port_t);
+void portseal_decrement_p (mach_port_t*);
+void portseal_increment (mach_port_t);
+
+#define PORTSEAL_CLEANUP(T, I, V) \
+ __attribute__ ((cleanup (portseal_decrement_p))) T I = V
+#define PORTSEAL_CLEANUP_I(T, I, V, E) \
+ __attribute__ ((cleanup (portseal_decrement_p))) T I = V; \
+ portseal_set_port (&I, E)
+
+#define PORTSEAL_WRAP(F, P) \
+ ({ \
+ mach_port_t *_p = (P); \
+ mach_port_t _old = *_p; \
+ (F); \
+ mach_port_t _new = *_p; \
+ if (_old != _new) \
+ { \
+ portseal_decrement (_old); \
+ portseal_increment (_new); \
+ } \
+ })
+
+#define GCC_VERSION (__GNUC__ * 10000 \
+ + __GNUC_MINOR__ * 100 \
+ + __GNUC_PATCHLEVEL__)
+
+/* Test for GCC >= 34.9 */
+#if GCC_VERSION >= 40900
+/* use __auto_type */
+#define PORTSEAL_WRAP_R(F, P) \
+ ({ \
+ mach_port_t *_p = (P); \
+ mach_port_t _old = *_p; \
+ __auto_type _result = (F); \
+ mach_port_t _new = *_p; \
+ if (_old != _new) \
+ { \
+ portseal_decrement (_old); \
+ portseal_increment (_new); \
+ } \
+ _result; \
+ })
+#else
+#define PORTSEAL_WRAP_R(F, P) \
+ ({ \
+ mach_port_t *_p = (P); \
+ mach_port_t _old = *_p; \
+ typeof (F) _result = (F); \
+ mach_port_t _new = *_p; \
+ if (_old != _new) \
+ { \
+ portseal_decrement (_old); \
+ portseal_increment (_new); \
+ } \
+ _result; \
+ })
+#endif
+
+#endif /* __PORTSEAL__ */
diff --git a/share/portseal/portseal.cocci b/share/portseal/portseal.cocci
new file mode 100644
index 0000000..de1aeee
--- /dev/null
+++ b/share/portseal/portseal.cocci
@@ -0,0 +1,117 @@
+@dec@
+identifier I;
+@@
+mach_port_t I;
+
+@ptrdec@
+identifier I;
+@@
+mach_port_t *I;
+
+@ptrarg@
+identifier F, I;
+@@
+F (..., mach_port_t *I, ...) { ... }
+
+@@
+identifier dec.I;
+expression E;
+@@
+-I = E
++I = portseal_set_port (&I, E)
+
+/* The wrap hacks. */
+
+/* ... with return values. */
+@@
+identifier R, dec.I;
+identifier F !~ "^portseal_";
+position p;
+@@
+R = F@p(...,
+- &I
++ PORTSEAL_WRAP_HACK_R (&I)
+, ...)
+
+@@
+identifier R, ptrdec.I;
+identifier F !~ "^portseal_";
+position p;
+@@
+R = F@p(...,
+- I
++ PORTSEAL_WRAP_HACK_R (I)
+, ...)
+
+/* ... without return values. */
+@@
+identifier dec.I;
+identifier F !~ "^portseal_";
+position p;
+@@
+F@p(...,
+- &I
++ PORTSEAL_WRAP_HACK (&I)
+, ...);
+
+@@
+identifier ptrdec.I;
+identifier F !~ "^portseal_";
+position p;
+@@
+F@p(...,
+- I
++ PORTSEAL_WRAP_HACK (I)
+, ...);
+
+@@
+identifier F, I;
+expression E;
+@@
+
+F (...,
+ mach_port_t *I,
+ ...)
+{
+<...
+- *I = E
++ *I = portseal_set_port (I, E)
+...>
+}
+
+
+@@
+identifier I;
+@@
+{
+<...
+- mach_port_t I;
++ PORTSEAL_CLEANUP (mach_port_t, I, MACH_PORT_NULL);
+...>
+}
+
+@@
+identifier I;
+expression E;
+@@
+{
+<...
+- mach_port_t I = E;
++ PORTSEAL_CLEANUP_I (mach_port_t, I, MACH_PORT_NULL, E);
+...>
+}
+
+
+
+
+@@
+expression E;
+@@
+- malloc (E)
++ portseal_malloc (E)
+
+@@
+expression E;
+@@
+- free (E)
++ portseal_free (E)
diff --git a/test/Makefile b/test/Makefile
new file mode 100644
index 0000000..7fe7cbf
--- /dev/null
+++ b/test/Makefile
@@ -0,0 +1,8 @@
+CFLAGS += -std=gnu99 -ggdb
+LDFLAGS =
+
+all: test
+
+.PHONY: clean
+clean:
+ rm -f -- *.o test
diff --git a/test/test.c b/test/test.c
new file mode 100644
index 0000000..b3012d7
--- /dev/null
+++ b/test/test.c
@@ -0,0 +1,102 @@
+#define _GNU_SOURCE
+#include <errno.h>
+#include <error.h>
+#include <fcntl.h>
+#include <hurd.h>
+#include <mach.h>
+#include <stdio.h>
+
+void
+dosth (void)
+{
+ mach_port_t foo;
+ mach_port_t bar = MACH_PORT_DEAD;
+
+ foo = file_name_lookup ("/dev", O_NOTRANS, 0);
+ if (! MACH_PORT_VALID (foo))
+ error (1, errno, "file_name_lookup");
+
+ fprintf (stderr, "dosth looked up %d\n", foo);
+}
+
+void
+donothing (mach_port_t *p)
+{
+}
+
+void
+dosthelse (mach_port_t *p)
+{
+ *p = file_name_lookup ("/bin", O_NOTRANS, 0);
+ if (! MACH_PORT_VALID (*p))
+ error (1, errno, "file_name_lookup");
+
+ fprintf (stderr, "dosthelse looked up %d\n", *p);
+ donothing (p);
+}
+
+mach_port_t some_port;
+mach_port_t some_other_port;
+
+void
+dosthglobal (void)
+{
+ some_port = file_name_lookup ("/sbin", O_NOTRANS, 0);
+ if (! MACH_PORT_VALID (some_port))
+ error (1, errno, "file_name_lookup");
+
+ fprintf (stderr, "dosthglobal looked up %d\n", some_port);
+
+ some_other_port = some_port;
+ some_port = MACH_PORT_NULL;
+}
+
+void
+doleakreceive (void)
+{
+ mach_port_t foo;
+ error_t err = mach_port_allocate (mach_task_self (),
+ MACH_PORT_RIGHT_RECEIVE,
+ &foo);
+ if (err)
+ error (1, errno, "mach_port_allocate");
+
+ fprintf (stderr, "allocated receive port %d\n", foo);
+}
+
+void
+dolookupcwd (void)
+{
+ mach_port_t foo;
+ foo = getcwdir ();
+ if (! MACH_PORT_VALID (foo))
+ error (1, errno, "file_name_lookup");
+
+ fprintf (stderr, "dolookupcwd looked up %d\n", foo);
+}
+
+void
+gopinniped (void)
+{
+ mach_port_deallocate (mach_task_self (), 12345);
+ mach_port_destroy (mach_task_self (), 54321);
+}
+
+int
+main ()
+{
+ dosth ();
+
+ mach_port_t *p = malloc (sizeof *p);
+ dosthelse (p);
+ free (p);
+
+ dosthglobal ();
+ some_other_port = MACH_PORT_NULL;
+
+ doleakreceive ();
+ dolookupcwd ();
+ gopinniped ();
+
+ return 0;
+}